Google’s Open Source Programs Manager, Chris DiBona, stormed the IT headlines this week when he stuck his paddle into the computer security world and stirred.

In a blog posting which was at least as far above the line in gung-hovity as it was below the line in orthography, DiBona openly referred to vendors of Android anti-virus software as “charlatans and scammers.”

(To be rectangularly precise, DiBona said that such vendors were “likely as not to be scammers and charlatans”, and he appears to have meant viruses in the strictest sense of the word – malware which can spread by itself.)

And he didn’t just point a finger at the companies which sell mobile anti-virus software. Just by taking employment at such a company, you’ll send DiBona’s personal VU meter into the red:

"IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself [sic]."

Pah.

That's no more helpful to anyone who cares about security and privacy than suggesting that you should be ashamed of working for a company which takes commercial photos of your house without asking (and, with the inevitability of Murphy's Law, just when you haven't mown the front garden after three weeks of lawn-nourishingly rainy weather), stitches them together into a photomontage of your entire suburb, and publishes the results for the world to search and see.

At least DiBona recognises that security isn't something which can be inexorably baked into computing devices – or, at least, into the sort of computing device which is timely, general-purpose, flexible, extensible and fun:

"All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets."

In short, bad things can and have happened on mobile devices, though the probability of you being affected is currently small, and your time exposed to danger might be short.

And those bad things can happen despite the sandboxing and security designed into the operating system on those devices. (Try Googling for “root android” or “jailbreak ios”, each of which produces over 30 million hits. The fact that performing either operation has ever been possible denotes a chink in the armour of the as-delivered system.)

C’mon, Google! It’s great that you give your staff the flexibility to have their own opinions in public – it’s one of the things I like about Sophos, by the way: the company doesn’t pretend to own the thoughts of the individuals of whom it consists.

But perhaps you might persuade Mr DiBona to back off a little on security vendors?

And, if it’s not too cheeky at the end of an article like this, why not take a look at some of the tips and tools available from Sophos to help you secure your smartphones and tablets? (No. There’s no anti-virus in there 🙂

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

(Sophos doesn't have an anti-virus for BB devices. But we do have broad-spectrum security and control software for a range of mobile platforms, including Windows Mobile, Android, iOS and, in a couple of weeks' time, BlackBerry.)

Hmm. I'm not a big fan of our "web gates", either. (That's my opinion, not an official corporate one – see above 🙂

I've always assumed that someone who genuinely wants to be contacted will be happy to leave their name, email address and phone number. Then you can contact them and ask for as much "life history" as they are willing to give, in a much friendlier and more accurate way than by using a bunch of impersonal and mandatory dropdown lists.

OTOH, those who don't want to hear back will just enter something bogus for every field – so why make it needlessly hard for everyone?

If you feel strongly about this issue, may I encourage you to email our marketing team directly and put this question to them?

Our Chief Marketing Officer is a matter of public record – his name is Rainer Gawlick, he's approachable and smart, he's a scientist by training, and he's named on our website.

I don't think I'm betraying any confidences by suggesting that you can email him using rainer dot gawlick at sophos dot com 🙂

But "virus" is these days also loosely, and commonly, and unexceptionally used to mean "malware of any sort".

Words do that. They drift from general to specific, or from specific to general (synecdoche), or from one use to another. (Android phones, for example, still make reference to "dialling", even though no mobile phone ever made has had a dial 🙂

So you're attacking the man for being specific when he uses the word 'virus'?

Even you must concede that his statements are technically correct, albeit laden with a nice sprinkling of hyperbole. When's the last time a virus (ie. self-replicating malware) hit Android? or iOS? Or RIM? The last I heard was a Nokia virus and that was a decade ago.

No one is foolish enough to say that it's not possible, but given mitigation such as sandboxing and secure OS design (as mentioned in the original article), the user ought to be far more concerned with downloading malware manually, from the app store (also as stated in the original article).

Relax Paul, you still have a job, but you do have to accept that AV (as per the specific term, before you start a sweaty tirade against me too) is largely irrelevant on mobile platforms.

> But "virus" is these days also loosely, and commonly, and
> unexceptionally used to mean "malware of any sort".

That is particularly true of "Anti Virus" which really means "Anti Malware". Sure we could be pedantic and rename our products, but that would be going against the grain. Even those who don't know the difference between virus, Trojan and worm still get what AV means. They expect their "Anti Virus" to protect them against all forms of malware.

To try to deny the malware problem on any platform by getting pedantic about the meaning of virus is sticking your head in the sand and missing the point. Even if we don't get old school viruses on mobile, we do see other forms of malware. Therefore AV (ie anti malware) protection is indeed relevant to mobile platforms.

The thing is that there is no such thing as working AV on an Android/iOS/RIM, because those OS-es don't provide the ability for such applications to effectively do what they would need to do: scan (other) apps and the OS.

The lack of "hooks" in the mobile device OS-es for AV is the reason you CAN call these vendors scammers. Some of the solutions cost a fair amount of money compared to app market prices and cannot protect you against anything real. What would you call that if not a scam?

The reality is that 'official' marketplaces have a mechanism for alerting users or revoking applications. Those that choose to ski off-piste should be aware of the dangers…

The biggest problem with the Android security model is that it is very difficult for most people to understand what possible consequences the different permissions have when installing an app. This is made worse by lots of apps requiring permissions that they don't really need like the phone state one so that advertisers can track you by your IMEI instead of ANDROID_ID as they should (ANDROID_ID doesn't require any special permissions), retrieve running applications because the developer couldn't be bothered to understand the android application lifecycle or read all contacts because they don't like the built-in sharing mechanism in Android. The last one could be solved if there was a built-in action for letting a user select a contact and hand over the data for just that contact to the app instead of as now forcing each app to need to read all contacts.

Don't know how this could be improved without reducing the possibilities for app devs though.

Virus is being used as a generic term more than anything these days. People can relate to virus as a word, whereas "MALWARE" is more tricky.

I myself am guilty of using viruses as a broader term, when I know my audience does not know what spyware, trojans, worms or back-doors are. I spend more time explaining what the threats and exploits can do, and try not to focus as much on their names.

It's all about making security easy to understand for those that might only have a superficial knowledge of the subject matter.

My guess is Google is starting to come under more fire because of their mediocre security model and track record, relative to other mobile OS makers. Android is the fastest growing mobile malware platform and their sloppy app approval, crappy update dependencies (carrier+manufacturer+Google) and growing non-techie base that will install anything and disregard the security warnings… probably has DiBona a little defensive. Until Google fixes their model, it's going to get worse before it gets better.

He might not call all malware viruses, but that won't stop most of the rest of the world from doing it or bashing the platform for its growing malware problem.

If we're so up in arms over definitions, does the author know the meaning of the word geezer?
I've met Chris a few times and we both look like Penn Jillette so I was surprised that my Google doppelganger is a geezer.
I checked Wikipedia and DiBona turned 40 a month ago.
Geezer usually refers to older men.

Google's Vint Cerf is a tech geezer.

He's close to 70 and has that cool grey beard.

BS translation below:

> C'mon, Google! It's great that you give your staff the flexibility to have their own
> opinions in public – it's one of the things I like about Sophos, by the way: the company
> doesn't pretend to own the thoughts of the individuals of whom it consists.

We respect the rights of people to have their own opinions, we're pretty Voltairean and proud of it that we have to mention it.

>But perhaps you might persuade Mr DiBona to back off a little on security vendors?

We're like all great 'democrats' we love freedom of opinion but when it doesn't suit us we like the idea of something being able to shut them down.
Needless to say, our company is a big fan of English law super injunctions.
We don't think that these should be used all the time of course but there are times when we'd like to make sure no one can say things we don't like.

You do realize Mr. DiBona is talking about non-Microsoft OSes. Their methods of addressing security issues are very different than the Microsoft world… else there would not be a need, or near as much of one for anti-virus programs.